Affiliate models, fraud, and why CPL needs a tougher spine

By Simon Delaney

TL;DR

  • • CPL (cost per lead) is where fraud often concentrates because companies neglect verification and fraud detection, and run programmes to get the lowest CPL, not the best data.
  • • CPM/CPC are cheap to fake at scale; CPA/CPS can look clean yet still hide attribution theft without click binding and short windows.
  • • You need verification and fraud detection working together on a purpose-built affiliate flow, with S2S (server to server) signed click IDs and sensible attribution windows.
  • • Sub-networks are where fraud clusters; without placement transparency and sub-publisher disclosure you're buying blind.

Who this is for

You buy affiliate traffic and care about what becomes a sale, not just what becomes a form submit. You want fewer junk leads and more revenue without rebuilding your stack.

Payment models set the incentives

Payment triggers shape behaviour. CPM (cost per thousand impressions) pays when a pixel loads, which encourages printing impressions. CPC (cost per click) pays on the click, so automation leans into that event. CPL (cost per lead) pays when a form is accepted, which invites stolen or synthetic details if you don't verify. CPA/CPS (cost per acquisition or sale) pays when a transaction clears, pushing abuse into last-click hijacks and transactions that unwind later. The earlier the payment sits in the journey, the cheaper it is to fake. The thread that ties this together is people's data and how you verify it. The closer you are to a person with real intent, the less likely it is to be fraud.

Chart showing affiliate fraud by payout model comparing gross fraud rates and residual fraud with protections across CPM, CPC, CPL and CPA models
Illustrative midpoints by trigger. Use the shape, not the exact digits.

What we actually saw, at scale

We ran affiliate traffic to Clear Energy Switching (a brand we built to generate leads for energy brands in the UK) to two destinations built and hosted in Databowl:

https://clearenergyswitching.com/

https://clearenergyswitching.com/amazon-voucher/

Supply came from more than thirty publishers and affiliates, with a deliberate bias towards direct publishers. Leads flowed straight into call centres, competing with Meta, Google and the client's own site. We kept fraud detection on at impression and click, bound every payable event to a signed S2S click ID, used reCAPTCHA and tamper traps, and ran real-time email domain and MX checks, deduplication, velocity rules and address hygiene, with weekly placement and sub-publisher reviews. The pages remain hosted in Databowl; fraud detection and verification are currently turned off because the campaigns are no longer active.

Evidence block (counts only):

Accepted: 102,088

Rejected: 19,104

How rejects clustered:

  • • Duplicates across partners or time
  • • Phone not contactable or invalid (network responses such as absent or unknown subscriber, dead number, call barred)
  • • Email not deliverable (domain or MX failures)
  • • Policy or gating (for example, geo constraints that didn't match the offer)
  • • Bot or tamper signals (reCAPTCHA failures, hidden-field triggers)
  • • Syntax anomalies associated with automation, plus occasional provider or system faults

Direct publishers produced the best quality (and we shifted all budgets towards them) and the lowest fraud; sub-networks carried the highest risk and needed tight caps or exclusion. Protections were strong enough that we effectively ran on CPA with the client while paying CPL for traffic.

People's data signals across the funnel showing where payment triggers and data quality checks occur from impression to conversion
Signals strengthen from device and placement, to click integrity, to email and phone contactability, to payment and retention.

Verification is not fraud detection

They solve different problems and you need both. Verification proves contactability and ownership at the point of capture: email domain and MX checks, deduplication, velocity and address hygiene, plus phone verification where the journey can tolerate it. Fraud detection stops non-human or manipulated activity before it reaches your form: always-on IVT at impression and click, anomaly detection, tamper traps and honeypots. Without verification you pay for plausible junk; without fraud detection you drown the form and force verification to carry everything.

Why CPL needs a tougher spine

CPL feels close to a person, which makes teams hesitate to reject it. A list of leads looks valuable because it looks human, but a lead is only an opportunity until it's contactable and tied to a valid click within a sensible window. Treat identity and provenance as non-negotiable: no valid signed click ID, no payable lead. Keep attribution windows short to limit last-second hijacks, and reconcile returns and complaints before releasing payment.

Table comparing CPL vs CPM/CPC showing fraud effort, bottlenecks and incentives across different payment models
What gets paid, effort to fake, attacker bottlenecks, and why they try it.

Sub-networks and the transparency penalty

Fraud clusters where opacity and arbitrage enter the chain. If a partner can't provide placement disclosure and stable sub-publisher IDs, you're buying blind. In practice that shows up as missing or spoofed referrers, sub-publisher IDs that appear and disappear, mechanical timing patterns, geo drift against UK and EU targeting, and creatives you never approved. Make pass-through IDs and proof of placement a condition of payment, reserve the right to audit log-level data where money changes hands, and walk away if disclosure isn't possible.

Chart showing the sub-network penalty with increasing invalid activity from direct publisher to network to sub-network
Higher invalid activity for blind sub-network supply versus direct publishers.

How to run CPL without funding fraud

The programmes that work share the same spine. Know your sources and refuse undisclosed placements. Keep IVT on so impressions and clicks are filtered before they touch your form. Bind every lead to a signed S2S click ID and reject anything that can't be matched within a reasonable window. Verify people's data in real time with email domain and MX checks, deduplication, velocity and address hygiene, adding phone verification where the journey allows. Keep attribution windows short and block toolbars and coupon injections from last-second hijacks. Pay on terms that reflect reality, with hold periods long enough for cancellations and complaints to surface and clawbacks written into contract. Onboard by graduation: cap new sources, then grow on quality rather than volume, with weekly placement and sub-publisher reviews.

Chart showing impact of data-centric controls on typical fraud reduction across different verification methods
Email and phone verification with always-on IVT delivers the biggest step change. S2S click IDs close attribution gaps.

Choose your operating point on purpose

There's a real trade-off between blocking fraud and keeping false positives low. Stricter rules stop more abuse but can turn away some legitimate leads; softer rules approve more volume but pay for more bad traffic. Pick the operating point deliberately, track appeals and outcomes, and publish thresholds so partners understand what "good" looks like.

Chart showing CPL detection trade-off between fraud blocked, false positives and approval rates
Fraud blocked, false positives and approval rate at different strictness levels.

Contracts, consent and proof

Write transparency into your contracts: placement disclosure, sub-publisher IDs, proof of placement on request, and audit rights. Keep evidence of consent with each lead. Double opt-in reduces complaints and helps you defend the programme. Fraud thrives in grey zones; clear permission and clean data flows make abuse harder and easier to confront.

A checklist worth keeping

  • • Do we know where ads ran and which sub-publishers were involved
  • • Are impressions and clicks screened for IVT in real time
  • • Is every lead verified and deduped before it hits the CRM
  • • Do conversions only pay if they match a secure click identifier
  • • Are attribution windows short and are returns reconciled before payment
  • • Are new sources capped and reviewed until they prove quality

References

Media Rating Council. Invalid Traffic Detection and Filtration Standards. https://mediaratingcouncil.org

IAB Europe and DoubleVerify. Media quality and fraud benchmarks. https://iabeurope.eu and https://www.doubleverify.com

AppsFlyer. State of Mobile App Fraud 2023. https://www.appsflyer.com/resources/reports

IAB. Lead generation definitions and guidance. https://www.iab.com

ASA and CAP. UK advertising guidance. https://www.asa.org.uk and https://www.cap.org.uk

Acronyms and shorthand used

CPM: cost per thousand impressions

CPC: cost per click

CPL: cost per lead

CPA/CPS: cost per acquisition / cost per sale

IVT: invalid traffic

GIVT / SIVT: general / sophisticated invalid traffic

S2S: server to server

ASA / CAP: UK Advertising Standards Authority and Committee of Advertising Practice

GDPR: General Data Protection Regulation